If you think your small or midsize business is safe from cyberattacks because hackers and fraudsters focus only on the big guys, think again.

According to a CBIA survey released this month, nearly a quarter (24%) of Connecticut companies experienced a data breach or successful cyberattack in the past two years. Nearly 90% reported having 100 or fewer employees, and almost three quarters (74%) employ 50 or fewer people.

Cybersecurity breaches
Source: 2018 Cybersecurity Survey of Connecticut Businesses

Lack of financial resources (40%), expertise (26%), time (12%), and information (12%) were the top challenges hindering companies' ability to advance cybersecurity efforts.

A 2016 study from the Michigan-based Ponemon Institute found that 55% of the 598 small and midsize companies surveyed experienced a cyberattack in the 12 months prior to the survey, and 50% reported data breaches involving customer or employee information.

In 2014, 50% of small businesses reported they were victims of a cyberattack—that according to a report by Dr. Jay Vadiveloo, director of UConn’s Goldenson Center for Actuarial Research.

The same study noted that 61% of phishing attacks—fraudulent emails sent to obtain personal employee or business information—targeted small and midsize businesses in 2014.

Vadiveloo's study also found that despite the statistical evidence to the contrary, 85% of small and midsize businesses believe that large businesses have been targeted more often than smaller firms.

"Many small and midsize businesses feel cybersecurity is an enterprise problem, and they consider themselves too small to be on the radar of hackers," says Steve Martocchio, vice president of operations for Windsor-based Cooperative Systems.

"This is far from the truth. In fact, in the 2017 Verizon Data Breach Investigation Report, 61% of data breach victims were businesses with under 1,000 employees.

"SMBs don't necessarily have the expertise, time, or sometimes financial resources to invest in proper protections and strategy. These organizations are extremely vulnerable and face financial, reputational, and—potentially—legal risk."

'Dangerous Thinking'

Not only do smaller businesses often lack sophisticated cyber defenses, says the state's Chief Cybersecurity Risk Officer Arthur House, they sometimes derive a false sense of security from having just a single mode of defense—for example, a good IT person, a consulting company with good software, or employees who change their passwords frequently.

"It's self-evident that a less sophisticated system is more vulnerable than one with a lot of protections," says House. "And small businesses tend to be less adequately protected."

Formerly chairman of the Connecticut Public Utilities Regulatory Authority, House was appointed to his current post in 2016 by Gov. Dannel Malloy and charged with developing a cybersecurity strategy and action plan for the state.

The strategy document was released last summer; the action plan will be out this spring.

2018 Cybersecurity Survey of Connecticut Businesses

Cyberattacks on small entities, such as municipal governments, police and fire departments, and small businesses—including real estate agencies and law firms—are rampant, says House, and many of those entities had an "It won't happen to me" attitude before they were attacked.

"Cybercrime is by far the most rapidly growing form of crime in the world," says House.

"It can be perpetrated from just about anywhere in the world, and it’s the kind of thing many people would rather not confront.

"To think it's never going to happen to you is dangerous thinking. You have to assume that what's happening to everyone else, someday will happen to you as well.

"All the time we're finding people who say it couldn't happen to me, and then they have a ransomware attack and quickly have to find the players who can buy their way out of it, and then they have to bring in the IT people and do all the things they should have done to prevent it."

Don't Get Hooked

Small businesses are particularly vulnerable to phishing attacks, says Martocchio.

A phishing attack, he explains, occurs when an email containing a link to a malicious website or an attachment containing a virus or malware is sent to an unsuspecting recipient.

"The biggest challenge to the organization is the reliance on the employee to make a decision whether or not to open the email," says Martocchio.

"Phishing emails are created to look legitimate, so it can be tricky even for a trained person to differentiate, let alone someone who hasn't had training."

Many small and midsize businesses consider themselves too small to be on the radar of hackers.
— Cooperative Systems' Steve Martocchio
One of the most devastating results of a phishing attack is ransomware, says Martocchio, a situation where an organization's data is encrypted by a virus and held for ransom by cybercriminals.

"At that point, the business has a couple of options," says Martocchio.

"First and easiest is to recover the data from backup. If there isn't a backup available, a decision needs to be made about whether to pay the ransom or forgo the data.

"Regardless of whether the ransom is paid or not, an attack like this can easily cost an organization tens of thousands of dollars in lost productivity alone. Some businesses may even be forced to close because they can't afford the ransom, yet need the data to operate."

Reliable Thieves or Scoundrels?

Some organizations can emerge relatively unscathed from ransomware attacks, but preparation and a strong recovery plan is critical.

House recalls one Connecticut company that fell victim to an attack but had a support system in place to deal with it effectively.

The company's insurance carrier had special expertise in cybersecurity, and they called in a law firm that had negotiators on retainer who were experienced in dealing directly with cybercriminals.

"They negotiated down the price in Bitcoin," says House. "They could tell the customer whether the criminals were reliable—there's an 80% chance that if you pay the ransom, you'll get your data back—or whether they were scoundrels and there's absolutely no guarantee.

"It turns out that these were reliable thieves, and the law firm paid the ransom in Bitcoin.

"It's a good story, because the company had gone through the trouble and paid the price to connect with a first-rate insurance company that could manage the execution and escape. Then, of course, what they had to do was bring in an IT firm to make sure it never happened again."

Employees: Cybersecurity Assets, Threats

As Martocchio noted above, a company's cyber defenses are heavily reliant on employees having a high level of cybersecurity awareness and making good decisions.

The 2017 Dell End-User Survey found that all too often, however, employees make risky decisions.

The survey found that when employees handle confidential data, they often do by accessing, sharing, and storing the data in unsafe ways.

Forty-five percent of respondents admitted to engaging in unsafe behaviors throughout the workday—including connecting to public Wi-Fi to access confidential information (46%), using personal email accounts for work (49%), and losing a company-issued device (17%).

Nearly two in three employees (63%) are required to complete cybersecurity training on protecting sensitive data, but of those, 18% still engaged in unsafe behavior without realizing what they were doing was wrong, and 24% engaged in unsafe behavior anyway in order to complete a task.

Cybersecurity financial impact
Source: 2018 Cybersecurity Survey of Connecticut Businesses

"Every employee is a potential cybersecurity asset and a potential threat," says House.

"One Connecticut company with a policy prohibiting the use of thumb drives left some thumb drives in the parking lot, restroom, and cafeteria, just to see what employees would do.

"Some employees actually came in and plugged them into their computers to see what would happen."

The costs of such risky cyber behavior to businesses, small and large, can be huge.

"The disruption is significant," says House. "It has a devastating effect on the brand and, if you're publicly traded, on the stock price."

Recovering from a cyberattack and minimizing the damage can also carry a heavy monetary cost.

According to a survey of 403 senior business executives released by Hartford Steam Boiler last September, 72% of hacked businesses spent over $5,000 to investigate each cyberattack, restore or replace software and hardware, and deal with other consequences.

More than a third of the hacked businesses (38%) spent more than $50,000 to respond. Ten percent spent $100,000 to 250,000, and 7% more than $250,000.

'Patch, Patch, Patch'

To avert a cyberattack and all the unwanted consequences that go with it, House says company leadership must create the right corporate culture and defenses—and that, he says, means raising employee awareness.

"There's one utility in Connecticut that starts every meeting—whether it's to talk about the cafeteria, summer vacations, or flu shots—with a cyber tip. Why? Because they're creating a culture of cybersecurity awareness."

House recommends that business leaders talk to their employees about cyber hygiene.

"Log out when you leave the office, have a strong password and change it from time to time, and figure out what kinds of things might require two-factor authentication," he says.

An example of two-factor authentication, says CBIA chief information officer Tom Day, might be requiring employees who access a business application from a remote location via the internet to enter a password and a one-time-use code sent to them as an email or text message when they log in.

"Even if a cybercriminal steals your password, you'll still have your mobile phone, which is where the code gets sent, and that will foil the attack," says Day.

"Someone may have stolen your password, but they can't succeed without that second-factor code sent to your phone."

After you've been hacked is not the time you should be meeting cybersecurity professionals for the first time.
— State cybersecurity chief Art House
House also stresses the importance of applying patches and software updates to your devices as they become available.

"When some of the recent attacks have taken place, Microsoft had put out patches to prevent them years before," he says.

"Some companies around the world just hadn't applied the patches, and they're the ones who got hit."

Day points out that Microsoft issues patches monthly, "so you don't want to get behind."

Martocchio agrees.

"Patch, patch, patch," he says. "Most viruses and malware threats take advantage of known vulnerabilities in operating systems, browsers, and other commonly used software. Keeping current with security patching is key to minimizing risk."

Martocchio also offers these recommendations:

  • Implement a layered security model. Many small businesses think because they have antivirus software on their machines, they're protected. It's not enough. Second opinion anti-malware protection and DNS filtering are good add-ons when protecting workstations.
  • Ensure networks are protected with a business-class firewall that has intrusion detection and intrusion prevention services.
  • Deploy an anti-spam solution to minimize unwanted emails.
  • Back up data regularly and keep a current copy off-site. A backup solution with a cloud component is a good option.

'Make Employees Your Allies'

House and Martocchio are also strong proponents of employee training to ensure a culture of cybersecurity awareness.

"You have to know how to protect sensitive information, but you also want to make your employees contributors to a healthy cybersecurity environment," says House.

"Know what's vulnerable, know how to protect it, and make employees your allies. They need to be trained."

One solution, says Martocchio, is online training.

"There are several online platforms that provide training to employees on what to watch for and being security-focused," he says.

Day also recommends going a step beyond training to ensure employees will actually put what they’ve learned into practice.

"You can subscribe to services that will send fake phishing emails to employees so they can learn to identify them and you can measure the effectiveness of your training," he says.

Plan and Rehearse

If the unthinkable should happen and your company becomes a victim of a cyberattack, the preparations you made before it happened can mean the difference between a temporary disruption and a business-threatening catastrophe.

"Every business should have an incident response plan to ensure proper procedures are followed in the event of an attack," says Martocchio.

"If an incident response plan doesn't exist, be sure to involve someone who can evaluate the scope of the threat, determine if and what preservation is required, and take the appropriate remediation action."

Martocchio also strongly recommends that businesses purchase a cyber liability insurance policy.

"And verify that a breach coach is included," he advises. "If a data breach occurs, a breach coach will help guide the organization through the process of whom to notify, including customers and regulating bodies."

House also believes that preparation is the key to damage control in the event of a cyberattack.

"Don't be in a position of thinking about what you should do in case of an attack after one takes place," he cautions.

"Assume you're going to be attacked and run through a rehearsal. Determine what you would do, where attacks might come from, and what the consequences could be.

"You should have IT and operations responses ready for it. You should have a risk management system. You should know what attorney or insurance carrier you’re going to contact when an attack happens," House adds.

"After you've been hacked is not the time you should be meeting cybersecurity professionals for the first time."